Analysis
- max time kernel: 162s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2023 14:36
Behavioral task: behavioral1
- Sample: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
- Resource: win10v2004-20230220-en
General
- Target: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
- Size: 23KB
- MD5: 540c26994ac206f56ced1ab9097edd71
- SHA1: ac5b7b5d505d5ec226ee2ecad0e0aa256c080a26
- SHA256: 3d12a39e3a94131fc5cb7d5ad0a3ae94c94ed9f528a68bcdbc50f1316860e157
- SHA512: 8b0f653c5b547409f587b0440fd7d070f1b247be8562fdf9712479cf69c0d720cc19fc7a8850499de89c2588023e849c5647b4b27f54543c7d5e1c49388782cd
- SSDEEP: 384:6QeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZkD:l5yBVd7Rpcnud
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: cisco5319.ddns.net:1177
- Mutex: 22d454c9d4a86e192f7a5423970a5c83
- reg_key: 22d454c9d4a86e192f7a5423970a5c83
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
- Drops startup file (2 IoCs)
  Processes: csrss.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22d454c9d4a86e192f7a5423970a5c83.exe | csrss.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22d454c9d4a86e192f7a5423970a5c83.exe | csrss.exe
- Executes dropped EXE (1 IoCs)
  Processes: csrss.exe
  pid | process
  2648 | csrss.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: csrss.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22d454c9d4a86e192f7a5423970a5c83 = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\" .." | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\22d454c9d4a86e192f7a5423970a5c83 = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\" .." | csrss.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes: csrss.exe
  description | pid | process
  Token: SeDebugPrivilege | 2648 | csrss.exe
  Token: 33 | 2648 | csrss.exe
  Token: SeIncBasePriorityPrivilege | 2648 | csrss.exe
  Token: 33 | 2648 | csrss.exe
  Token: SeIncBasePriorityPrivilege | 2648 | csrss.exe
  Token: 33 | 2648 | csrss.exe
  Token: SeIncBasePriorityPrivilege | 2648 | csrss.exe
  Token: 33 | 2648 | csrss.exe
  Token: SeIncBasePriorityPrivilege | 2648 | csrss.exe
  Token: 33 | 2648 | csrss.exe
  Token: SeIncBasePriorityPrivilege | 2648 | csrss.exe
  Token: 33 | 2648 | csrss.exe
  Token: SeIncBasePriorityPrivilege | 2648 | csrss.exe
  Token: 33 | 2648 | csrss.exe
  Token: SeIncBasePriorityPrivilege | 2648 | csrss.exe
  Token: 33 | 2648 | csrss.exe
  Token: SeIncBasePriorityPrivilege | 2648 | csrss.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe, csrss.exe
  description | pid | process | target process
  PID 3992 wrote to memory of 2648 | 3992 | 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe | csrss.exe
  PID 3992 wrote to memory of 2648 | 3992 | 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe | csrss.exe
  PID 3992 wrote to memory of 2648 | 3992 | 3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe | csrss.exe
  PID 2648 wrote to memory of 3620 | 2648 | csrss.exe | netsh.exe
  PID 2648 wrote to memory of 3620 | 2648 | csrss.exe | netsh.exe
  PID 2648 wrote to memory of 3620 | 2648 | csrss.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3D12A39E3A94131FC5CB7D5AD0A3AE94C94ED9F528A68.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\csrss.exe
    command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\csrss.exe" "csrss.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\csrss.exe
  Filesize: 23KB
  MD5: 540c26994ac206f56ced1ab9097edd71
  SHA1: ac5b7b5d505d5ec226ee2ecad0e0aa256c080a26
  SHA256: 3d12a39e3a94131fc5cb7d5ad0a3ae94c94ed9f528a68bcdbc50f1316860e157
  SHA512: 8b0f653c5b547409f587b0440fd7d070f1b247be8562fdf9712479cf69c0d720cc19fc7a8850499de89c2588023e849c5647b4b27f54543c7d5e1c49388782cd
- memory/3992-133-0x0000000000CA0000-0x0000000000CB0000-memory.dmp
  Filesize: 64KB
- memory/3992-134-0x0000000000CA0000-0x0000000000CB0000-memory.dmp
  Filesize: 64KB